This is correct. There is currently some text in the security considerations, but we can re-emphasize this of course. This however does not seem to me a huge issue, as inbound SPIs are selected by the peer using these inbound SPIs. Note also that a full SPI value is agreed with IKE; diet-esp only performs the compression / decompression.

Yours,
Daniel

On Tue, May 24, 2022 at 12:14 PM Robert Moskowitz <rgm-...@htt-consult.com> wrote:

> Scott,
>
> That is my question/point. And if I understand diet-esp and lsb, then the 8-bit SPI maps to the full SPI in the SA is xxxxxx07?
>
> Ah, the *Receiver* picks the incoming SPIs. It has been so many years since I looked into the protocol/code that I lost sight of this. I had it reversed. Thus the receiver MUST be careful in selecting its incoming SPIs such that there is no collision.
>
> The draft needs to spell this out.
>
> And for a UAS Network Remote ID Service Provider, it would use a 2-byte transmitted SPI to allow for a reasonable number of UAS in service at any time...
>
> On 5/24/22 11:30, Scott Fluhrer (sfluhrer) wrote:
>
> > I believe that the question is "when someone receives an IPsec packet, how do they determine the SA, assuming that they have negotiated both standard SAs (with 32 bit SPIs), and diet-esp (with shorter SPIs)."
> >
> > My initial assumption was that, as the receiver picks its incoming SPIs, that they pick them to allow unambiguous lookup. For example, if a diet-esp inbound SA has an 8 bit SPI of 07, that means that the implementation ensures that it does not have any standard inbound SAs with SPIs of the form 07xxxxxxxx.
> >
> > It might not be totally unreasonable if the diet draft spelled out a method for achieving this...
> >
> > *From:* IPsec <ipsec-boun...@ietf.org> *On Behalf Of* Paul Wouters
> > *Sent:* Tuesday, May 24, 2022 11:14 AM
> > *To:* Robert Moskowitz <rgm-...@htt-consult.com>
> > *Cc:* IPsecME WG <ipsec@ietf.org>
> > *Subject:* Re: [IPsec] diet-esp - How do you know?
> >
> > On Sun, May 22, 2022 at 9:20 PM Robert Moskowitz <rgm-...@htt-consult.com> wrote:
> >
> > > I think there is something else I am missing here.
> > >
> > > How does the receiving system 'know' that the packet is a diet-esp packet?
> > >
> > > https://datatracker.ietf.org/doc/html/draft-mglt-ipsecme-ikev2-diet-esp-extension-02
> >
> > It's negotiated with IKEv2.
> >
> > I guess the IKE stack has to signal this to the ESP implementation on what to expect when the policy is installed ?
> >
> > Paul

-- 
Daniel Migault
Ericsson
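An added illustration of the receiver-side rule Scott and Robert describe above (this is not code from the diet-esp draft or from anyone in the thread): an inbound SA table that installs a new SPI only when its low-order bits, at the narrowest width any already-installed inbound SA transmits, cannot be mistaken for another SA, together with the lookup that maps a compressed SPI back to the full 32-bit value. The class and method names and the random-allocation strategy are assumptions, not anything the draft specifies.

```python
import secrets


class InboundSaTable:
    """Receiver-side inbound SA table (illustrative, not the draft's design).
    Each inbound SA is keyed by the full 32-bit SPI the receiver chose and
    records how many low-order SPI bits the peer will actually put on the
    wire: 32 for a standard ESP SA, fewer for a diet-esp SA that compresses
    the SPI to its least significant bits."""

    def __init__(self):
        self.sas = {}  # full 32-bit SPI -> transmitted SPI width in bits

    def conflicts(self, spi, bits):
        # Two inbound SAs are ambiguous when the narrower transmitted width
        # cannot tell them apart, i.e. their low-order bits agree at that width.
        for other, other_bits in self.sas.items():
            mask = (1 << min(bits, other_bits)) - 1
            if (spi & mask) == (other & mask):
                return True
        return False

    def install(self, spi, bits=32):
        # Values 0..255 are reserved by RFC 4303; widths must be 1..32 bits.
        if not (256 <= spi < 2**32 and 1 <= bits <= 32):
            raise ValueError("SPI must be in 256..2^32-1 and width in 1..32 bits")
        if self.conflicts(spi, bits):
            raise ValueError(f"SPI {spi:#010x} is ambiguous at {bits} bits")
        self.sas[spi] = bits
        return spi

    def allocate(self, bits=32, tries=1000):
        # The receiver picks its own inbound SPI: draw a random candidate and
        # keep it only if it stays unambiguous against every installed SA.
        for _ in range(tries):
            spi = secrets.randbelow(2**32 - 256) + 256
            if not self.conflicts(spi, bits):
                return self.install(spi, bits)
        raise RuntimeError(f"no unambiguous {bits}-bit SPI found")

    def lookup(self, wire_spi, bits):
        # Map a received SPI of the negotiated width back to the full SPI.
        # Only SAs negotiated with that width are candidates; the install
        # invariant guarantees at most one of them can match.
        mask = (1 << bits) - 1
        hits = [s for s, b in self.sas.items() if b == bits and (s & mask) == wire_spi]
        return hits[0] if hits else None
```

With an 8-bit diet-esp SA whose full SPI ends in 0x07 installed, a later attempt to install a standard SA ending in 0x07 is refused, which is exactly the collision the thread says the receiver must avoid.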
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec